On Thursday, changes to a little-discussed rule will go into effect and will expand the United States government’s surveillance capabilities after several attempts to halt the rule change failed.
The changes in question to Rule 41 of the Federal Rules of Criminal Procedure would grant judges the ability to issue warrants that would allow for remote access, search, seizure, or copying of data when the location of said data has “been concealed through technological means” or when the information is located on protected devices that have been “damaged without authorization and are located in five or more districts.”
The rule would grant this power to any judge in any district where activities related to the crime in question may have taken place.
On its face, the rule change may seem innocuous, but privacy advocates have been arguing for Congress to disavow the amended clause since it was first presented in April of this year.
The primary concern is the potentially overreaching power the rule would grant judges issuing search warrants. The rule could be used to issue remote access warrants that would allow the FBI to hack devices that are physically located outside their jurisdiction or overseas.
On a more fundamental level, privacy organizations like the Electronic Frontier Foundation (EFF) and Access Now believe the rule may present a threat to just about anyone using basic privacy tools like Virtual Private Networks (VPNs) or the Tor browser that can conceal a user's location and online activities.
In a blog post, EFF’s activism director Rainey Reitman warned the rule could be applied at even more basic levels than that, stating it could extend to “people who deny access to location data for smartphone apps because they don’t feel like sharing their location with ad networks” or to those who change their country setting in an online service like Twitter.
The rule could also have implications for users who are compromised by malicious software and made the victim of someone else’s activity.
For example, the botnet that took down major web services earlier this year via distributed denial of service attacks utilized hacked Internet of Things devices to deploy its bombardment. The changes to Rule 41 could give federal agents the ability to remotely access any computers or devices—and all the personal information stored within—used in that attack as part of an investigation, even if the only crime of the device owner was falling victim to a hack.
The ill-defined parameters of the tweaked Rule 41 leave a considerable amount of room for overreach, with much left to the discretion of a judge who may or may not know exactly how much leeway they are granting to government agencies.
An attempt to prevent the rule changes from being implemented was put forth by Democratic Senator Ron Wyden of Oregon. The senator attempted to put forth three challenges that would block or delay the rule change, and was bolstered by the support of Democratic Senator Chris Coons of Delaware and Montana Republican Senator Steve Daines.
The effort was blocked by Republican Senator John Cornyn of Texas, which allowed the rule change to pass. It will go into effect starting Dec. 1.
“It's unfortunate that Congress refused to consider changes to Rule 41 before they go into effect, but this is far from the end of the conversation,” Nathan White, the senior legislative manager at Access Now, told IBTimes. “Changes to Rule 41 were sought to make it easier for law enforcement to conduct hacking operations. However, Congress has never explicitly authorized government hacking at all. In fact, in many cases hacking is inconsistent with human rights and the United States' international treaty obligations.”
White called for the incoming Congress to consider legislation that places limits on the government’s hacking ability and encouraged them to take into account the rights and responsibilities of the parties involved in hacking cases.
“Access Now has begun the discussion by publishing a report on the human rights implications of government hacking, but it's time for Congress to do its job,” he said. “Law enforcement must adapt to the digital world. It's a shame we have to drag Congress into a conversation it should be leading.”